CA SiteMinder Federation Runbook for Microsoft Office 365


Legal Notice

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2012 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


Support

This document is produced by FuGen Solutions Inc. (www.fugensolutions.com), who can be reached at [email protected], on behalf of CA Technologies Inc. (www.ca.com).

Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:

Online and telephone contact information for technical assistance and customer services

Information about user communities and forums

Product and documentation downloads

CA Support policies and guidelines

Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected] or [email protected].


Contents

Legal Notice
Contents
Chapter 1: SaaS Partner Introduction
  Overview
  Partnership Process
    Prerequisites
    Manual Directory Synchronization Example
    Target Microsoft Office 365 Services
Chapter 2: Configure CA SiteMinder (12.52) as Identity Provider
  Configure Identity Provider and Service Provider Entities
    Local Entity Creation
    Remote Entity Creation
  Configure Federation Partnership between CA SiteMinder (IDP) & Microsoft Office 365 (RP)
    Configure Partnership
    Federation Users
    Assertion Configuration
    SSO and SLO
    Configure Signature and Encryption
    Partnership Activation
Chapter 3: Configure Service Provider
  Configure Microsoft Office 365
    Directory Synchronization (Synchronize On-Premise AD users to Office 365 Cloud)
    Activate Synchronized User
    Configure partnership in Windows Active Directory for Windows PowerShell
    User Role Assigning
Chapter 4: Federation Testing & Target Services
  Federation Testing
    Identity Provider Initiated Testing
    Service Provider Initiated Testing
    Single Logout
  Federation testing for Active Profile
    Microsoft Lync 2013
    Microsoft Outlook 2013
Chapter 5: Exception Handling
  Exception Cases
    When the SiteMinder Partnership is Inactive
    When the Service Provider Entity ID was misconfigured on the SiteMinder side
    When the Identity Provider Entity ID was misconfigured on the SiteMinder side
    When the Service Provider Security Token Consumer Service URL was misconfigured on the SiteMinder side
    Audience field was misconfigured on the SiteMinder side
    Name ID Format value was misconfigured on the SiteMinder side
    A user who is not in Microsoft Office 365 tries to log in through SiteMinder
    A SiteMinder user who does not have the desired attributes in the user store
Chapter 6: Summary


Chapter 1: SaaS Partner Introduction

This section contains the following topics:

Overview

Partnership Process

Prerequisites

Manual Directory Synchronization Example

Target Microsoft Office 365 Services

Overview

The scope of this document is to provide the steps needed to configure a federation partnership that achieves SSO (Single Sign-On) between CA SiteMinder 12.52, acting as the WS-Federation Identity Provider (IDP), and Microsoft Office 365, acting as the WS-Federation Resource Partner (RP). Browser sign-in uses the WS-Federation passive profile; rich clients such as Lync and Outlook use the active profile, in which Office 365 obtains a token from the SiteMinder Security Token Service (STS) on the user's behalf.

Partnership Process

The partnership creation for each partner involves the following steps:

1. Installing and configuring the prerequisites

2. Configuring SiteMinder as an Identity Provider

3. Configuring the Service Provider

4. Testing the Federated SSO

Prerequisites

Prerequisites for CA SiteMinder and CA Secure Proxy Server

Installation of the CA SiteMinder 12.52 suite.

Creation of a signed certificate by a well-known Certificate Authority such as VeriSign, Entrust, Thawte or Go Daddy for the Identity Provider digital signature. Office 365 validates token signatures against the certificate registered for the domain (see Chapter 3), not against a CA chain, so the private key of this certificate is the credential that vouches for every federated user: keep it on the SiteMinder host only, and plan a rollover before it expires, because federated sign-in stops once Office 365 holds an expired certificate.

Important! The Federation Partnership Authentication URL must be protected by SiteMinder with persistent sessions enabled.


The Identity Provider Authentication URL is protected by creating the following objects:

o Authentication Scheme

o Domain

o Realm

o Rule & Policy

Note: Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the Identity Provider.

Installation of CA SiteMinder Secure Proxy Server 12.52

Protect the CA Secure Proxy Server Admin UI: navigate to the agent that was registered during CA Secure Proxy Server configuration. Its domain has the format DOMAIN-SPSADMINUI-{agentname} (e.g. DOMAIN-SPSADMINUI-caspsagent). Add a User Directory and a Policy to this domain.

Log into CA Secure Proxy Server and create a Security Token Service (STS) whose name is the CA SiteMinder partnership name (e.g. SamplePartnership-Office365).

Place the SSL public certificate and SSL private key in SPS and enable SSL on CA SiteMinder SPS.

Review the STS log at secure-proxy_install_dir/proxy-engine/logs/partnership_name.log; a message stating that STS initialization is complete indicates that STS is running. Alternatively, open https://{sps-domainName}/{CA-SiteMinder-PartnershipName}/ws-username in a browser; the response message confirms that STS is functional.

Test Secure Proxy Server: after restarting CA Secure Proxy Server, open https://{sps-domainName}/affwebservices/assertionretriever in a browser and verify that CA Secure Proxy Server is working as expected.

The STS must be reachable from the internet: in the WS-Federation active profile it is Office 365 itself, not the user's client, that calls the ws-username endpoint to exchange the user's credentials for a token. Publish it over HTTPS only and monitor it like any other internet-facing endpoint that accepts passwords.

Prerequisites for Microsoft Office 365 Single Sign-On

Microsoft Office 365 Enterprise account.

DNS information to register a domain with your DNS provider.

The UPN suffix of the users to be synchronized must be a domain that is registered and verified in Office 365; in this runbook the registered domain and the Active Directory domain are the same.

Install the Windows Azure Active Directory Module for Windows PowerShell (http://aka.ms/aadposh), which requires the Microsoft Online Services Sign-In Assistant (http://go.microsoft.com/fwlink/?LinkId=286152).

Download the Office 365 desktop client application.

User synchronization between your user store and Office 365. Password synchronization is not required, because federated users authenticate at SiteMinder and never receive a cloud password. The following synchronization methods are supported:

Manual synchronization: use the Windows Azure AD Module for Windows PowerShell. This method is adequate for testing SSO.

Microsoft Directory Sync tool: Microsoft provides a tool for synchronizing Active Directory with Office 365. This method is adequate when user accounts are stored in a single Active Directory domain.

CA IdentityMinder connector for Office 365: CA provides an IdentityMinder connector for Office 365 for user synchronization. This method works well when user accounts are stored in Active Directory, CA Directory, LDAP, or RDBMS.

Manual Directory Synchronization Example

This example demonstrates copying an Active Directory user to Office 365.

Open the Windows Azure Active Directory Module for Windows PowerShell (Get-ADUser additionally needs the ActiveDirectory module from RSAT), run Connect-MsolService, and then run the following commands. Provide your own values for upn and location.

Syntax:

$User = Get-ADUser -Filter {userPrincipalName -eq "[upn]"} -Properties DisplayName

# ImmutableID is the Base64 encoding of the 16 raw objectGUID bytes; the SiteMinder assertion must carry exactly this value
$ImmutableID = [System.Convert]::ToBase64String($User.ObjectGUID.ToByteArray())

New-MsolUser -UserPrincipalName $User.UserPrincipalName -ImmutableId $ImmutableID -LastName $User.Surname -FirstName $User.GivenName -DisplayName $User.DisplayName -UsageLocation [location]

upn: Login name of the user. For example: [email protected]

location: Two-letter country code of the user. For example "US".

Note: DisplayName is not in the default property set returned by Get-ADUser, so it must be requested with -Properties; without it the Office 365 user is created with an empty display name.
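The following PowerShell is an added example, not part of the runbook, that wraps the objectGUID-to-ImmutableID conversion above in reusable functions and adds the check a practitioner wants before testing SSO: that the value the SiteMinder assertion will carry (the runbook maps it from an LDAP attribute of the SiteMinder user store) is identical to the ImmutableId stored on the Office 365 user. The sample GUID and the UPN iduser@ca-technologies.fugen.com are constructed for illustration; the live check assumes the ActiveDirectory (RSAT) and MSOnline modules and a prior Connect-MsolService.

```powershell
# Added example, not from the runbook. Assumes the ActiveDirectory (RSAT) and MSOnline modules
# for the live check; the round-trip demonstration at the bottom runs offline.

function ConvertTo-ImmutableId {
    # Office 365 stores the Base64 of the 16 raw objectGUID bytes, not the GUID string
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse conversion; rejects values (such as a GUID string) that are not 16 encoded bytes
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to 16 GUID bytes" }
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Test-ImmutableIdMatch {
    # Compares the on-premises objectGUID, the value the IdP will put in the ImmutableID claim
    # and the value Office 365 holds. A mismatch shows up at sign-in as the "user is not in
    # Office 365" failure listed in Chapter 5, not as a clear error message.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Value of the SiteMinder user-store attribute mapped to the ImmutableID claim
        # (emailAddress in the runbook's sample user store)
        [string]$IdpClaimValue
    )
    $adUser = Get-ADUser -Filter { userPrincipalName -eq $UserPrincipalName }
    if (-not $adUser) { throw "No Active Directory user with UPN $UserPrincipalName" }
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    $result = [ordered]@{
        UserPrincipalName = $UserPrincipalName
        OnPremImmutableId = $expected
        CloudImmutableId  = $cloud.ImmutableId
        CloudMatches      = ($expected -ceq $cloud.ImmutableId)   # Base64 is case-sensitive
    }
    if ($PSBoundParameters.ContainsKey('IdpClaimValue')) {
        $result.IdpClaimValue   = $IdpClaimValue
        $result.IdpClaimMatches = ($IdpClaimValue -ceq $cloud.ImmutableId)
    }
    [pscustomobject]$result
}

# Offline demonstration with a constructed GUID: the Base64 form is what must appear both in
# New-MsolUser -ImmutableId and in the ImmutableID claim of the SiteMinder assertion.
$sampleGuid = [guid]'6f3a4b2c-1d2e-4f50-8a9b-0c1d2e3f4a5b'
$sampleId   = ConvertTo-ImmutableId -ObjectGuid $sampleGuid
"$sampleGuid -> $sampleId -> $(ConvertFrom-ImmutableId -ImmutableId $sampleId)"

# Live check (assumed UPN from the runbook's sample tenant):
# Test-ImmutableIdMatch -UserPrincipalName 'iduser@ca-technologies.fugen.com' `
#     -IdpClaimValue '<emailAddress value from the SiteMinder user store>'
```

Run the live check for the test user before the first SSO attempt and again whenever a user is re-created in Active Directory: a new objectGUID silently breaks the mapping for an existing Office 365 account.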

Target Microsoft Office 365 Services

The following Microsoft Office 365 services have been tested for federation using CA SiteMinder 12.52 as Identity Provider:

Outlook

Lync

SkyDrive

SharePoint Online


Chapter 2: Configure CA SiteMinder (12.52) as Identity Provider

This section contains the following topics:

Configure Identity Provider and Service Provider Entities

Configure Federation Partnership between CA SiteMinder (IDP) & Microsoft Office 365 (RP)

Configure Identity Provider and Service Provider Entities

To create entities, log in to CA SiteMinder and navigate to Federation > Partnership Federation > Entity > Create Entity.

Local Entity Creation

Configure Local Identity Provider Entity with following details:

o Entity Location – Local

o Entity Type – WSFED Identity Provider

o SAML Token Type – SAML 1.1

o Entity ID – Any (e.g. https://ca-technologies.fugen.com)

o Entity Name – Any (e.g. SampleEntity-WSFed-SAML1.1)

o Base URL – https://<FWS_FQDN>, where FWS_FQDN is the fully-qualified domain name of the host serving SiteMinder Federation Web Services (e.g. ca-technologies.fugen.com)

o Disambiguation ID – Unique identifier for the partnership (e.g. samlsso)

o Signing Private Key Alias – Select the correct private key alias or import one (e.g. catech)

o Supported Name ID format – Unspecified


o Click “Finish”.

Remote Entity Creation

A remote entity can be created either through metadata import or manually. To configure the remote SP entity manually, select Create Entity.

Create the Microsoft Office 365 remote entity with the following details:

o Entity Location – Remote


o New Entity Type – WSFED Resource Provider

o SAML Token Type – SAML 1.1

o Entity ID – urn:federation:MicrosoftOnline

o Entity Name – Any (e.g. MicrosoftOffice365)

o Description – Any (e.g. WSFED RP for Office 365)

o Remote Security Token Consumer Service URL - https://login.microsoftonline.com

o Remote Sign-Out URL – https://login.microsoftonline.com

o Supported Name ID Formats – Unspecified

o Click “Finish”

Configure Federation Partnership between CA SiteMinder (IDP) & Microsoft Office 365 (RP)

Log in to CA SiteMinder and navigate to Federation > Partnership Federation > Create Partnership.

Select WSFED IP -> RP.

Configure Partnership

Add Partnership Name – Any (e.g. SamplePartnership-Office365)

Local IDP ID – Select Local IDP ID (e.g. https://ca-technologies.fugen.com)


Remote SP ID – Select the remote SP ID (urn:federation:MicrosoftOnline)

Base URL – Pre-populated from the local entity

Skew Time – The clock difference, in seconds, tolerated between the IDP and Office 365 when token timestamps are validated (e.g. 30). Keep it small and keep the SiteMinder hosts NTP-synchronized; a large skew widens the window in which a captured token is still accepted.

Enable Metadata Exchange – Select the check box.

STS for WSFED Active Profile – Select the check box.

Select the user store (e.g. smuserstore) from the “Available Directories”.

Note: Make sure this partnership name is the same as the value given for the STS in CA Secure Proxy Server.

Federation Users

Configure Federation Users – Accept default values


Assertion Configuration

Name ID Format:

o Name ID Format – Unspecified

o Name ID Type – User Attribute

o Value – emailAddress (the LDAP attribute that holds the Immutable ID in this sample user store)

Assertion Attributes (UPN):

o Assertion Attribute – UPN

o Namespace – http://schemas.xmlsoap.org/claims

o Type – User Attribute

o Value – name (the LDAP attribute that holds the UPN; here name)

Assertion Attributes (ImmutableID):

o Assertion Attribute – ImmutableID

o Namespace – http://schemas.microsoft.com/LiveID/Federation/2008/05

o Type – User Attribute

o Value – emailAddress (the LDAP attribute that holds the Immutable ID)

Note: Office 365 maps the incoming token to a user on the ImmutableID claim alone, so the attribute chosen here must hold, byte for byte, the ImmutableId stored on the Office 365 user (the Base64 objectGUID from the synchronization step). It must also be an attribute that only directory administrators can write: whoever can change that attribute controls which Office 365 account the token maps to.


SSO and SLO

Authentication URL – The URL that is protected by SiteMinder as described in the prerequisites (e.g. http://ca-technologies.fugen.com/affwebservices/redirect.jsp; in production serve it over https so that credentials and the SiteMinder session cookie are never sent in clear text)

SSO Binding – Select the SSO binding supported by the Service Provider: HTTP-Post

Audience – urn:federation:MicrosoftOnline

Security Token Consumer Service URL – https://login.microsoftonline.com

Enable Sign-Out – checked

Sign-out Confirmation URL – https://login.microsoftonline.com/login.srf?wa=wsignoutcleanup1.0

Sign-out URL – URL of the wsfeddispatcher service, e.g. https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/msol-ca-technologies.fugen.com

Configure Signature and Encryption

Signing Private Key Alias – Verify correct Private Key Alias is selected

On the confirmation screen, make sure the STS information is displayed correctly. Confirm the remaining values and finish the partnership.

Partnership Activation

Activate the created Partnership.


Chapter 3: Configure Service Provider

This section contains the following topics:

Directory Synchronization (Synchronize On-Premise AD users to Office 365 Cloud)

Activate Synchronized User

Configure partnership in Windows Active Directory for Windows PowerShell

User Role Assigning

Configure Microsoft Office365

Directory Synchronization (Synchronize On-Premise AD users to Office 365 Cloud)

Activate Directory Synchronization:

Activate directory synchronization to use your on-premises Active Directory to add users to Microsoft Office 365. Follow these steps to activate directory synchronization:

Log in to the Microsoft Online portal using the enterprise admin account.

Click “Users and Groups” and click “Activate”.

Click “Activate” in Step 3 and click “Download” to download the Directory Sync Tool.


Click on “Activate”.

Once it has been activated, following message will be shown.


Configure Directory Synchronization:

Note: Do not run this tool while logged on with the Active Directory Domain Controller's Admin account; run it under another user account. The wizard still prompts for admin credentials for Office 365 and for Active Directory.

Open the Directory Sync tool and click “Next”.

Provide the Microsoft Office 365 login credentials and click “Next”.


Provide the Active Directory credentials and click “Next”.

Click “Next” on the remaining screens and then “Finish”.


Activate Synchronized User:

Assign Licenses and Activate Synchronized Users:

To activate users synchronized from Active Directory, select the user and click the activate icon.

Select the services for that user and click “Next”.

Note: The user will be able to log in only to the selected services.


Provide the email address in order to send credentials via email and click “Activate”.

Click on “Finish”.


Configure partnership in Windows Active Directory for Windows PowerShell

Launch the Windows Azure Active Directory Module for Windows PowerShell as an Administrator.

Connect to Office 365 as a Microsoft Office 365 Administrator by typing the following command in PowerShell:

Connect-MsolService

Change the domain authentication method to “Federated”. The values must match the SiteMinder partnership exactly: IssuerUri is the local IDP Entity ID, PassiveLogOnUri and LogOffUri point at the wsfeddispatcher service for the partnership's disambiguation ID, and SigningCertificate is the Base64-encoded DER form of the IDP signing certificate (public part only). Both cmdlets below also accept -ActiveLogOnUri, the STS ws-username endpoint that Lync and Outlook depend on.

Note: Line breaks are only shown here for formatting and readability purposes.

Set-MsolDomainAuthentication
  -Authentication Federated
  -DomainName <domain name>
  -FederationBrandName <any name>
  -IssuerUri <Identity provider URI>
  -LogOffUri <Identity provider Logoff URI>
  -PassiveLogOnUri <Identity provider Passive logon URI>
  -SigningCertificate <IP Signing certificate>

e.g.

Set-MsolDomainAuthentication
  -Authentication Federated
  -DomainName ca-technologies.fugen.com
  -FederationBrandName ca-technologies.fugen.com
  -IssuerUri https://ca-technologies.fugen.com
  -LogOffUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
  -PassiveLogOnUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
  -SigningCertificate "MIIEmDCCAoCgAw…..5WifUBkgA=="

Note: If you are updating values after the authentication method has been set to Federated, you must use the command Set-MsolDomainFederationSettings.

Set-MsolDomainFederationSettings
  -DomainName <domain name>
  -FederationBrandName <any name>
  -PreferredAuthenticationProtocol WsFed
  -IssuerUri <Identity provider URI>
  -LogOffUri <Identity provider Logoff URI>
  -ActiveLogOnUri <Identity Provider Active LogOn URI>
  -PassiveLogOnUri <Identity provider Passive logon URI>
  -SigningCertificate <IP Signing certificate>

e.g.

Set-MsolDomainFederationSettings
  -DomainName ca-technologies.fugen.com
  -FederationBrandName ca-technologies.fugen.com
  -IssuerUri https://ca-technologies.fugen.com
  -LogOffUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
  -ActiveLogOnUri https://ca-technologies.fugen.com/SamplePartnership-Office365/ws-username
  -PassiveLogOnUri https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso
  -PreferredAuthenticationProtocol WsFed
  -SigningCertificate "MIIEmDCCAoCgAw…..5WifUBkgA=="
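The following PowerShell is an added example and not part of the runbook. It derives the federation settings from the SiteMinder partnership values of Chapter 2 instead of typing them twice, produces the Base64 signing certificate from an exported public certificate file, warns when that certificate is close to expiry, and reads the settings back from Office 365 to flag each value that does not match the IDP (the misconfigurations that Chapter 5 lists as failures). The hostnames, partnership name, disambiguation ID and certificate path are assumptions taken from the runbook's sample environment; it requires the MSOnline module and a prior Connect-MsolService.

```powershell
# Added example, not from the runbook. Requires the MSOnline module and Connect-MsolService.
# All values in $Idp are assumptions based on the runbook's sample environment.

$Idp = @{
    Domain           = 'ca-technologies.fugen.com'
    EntityId         = 'https://ca-technologies.fugen.com'   # local IDP Entity ID, becomes IssuerUri
    DisambiguationId = 'samlsso'
    PartnershipName  = 'SamplePartnership-Office365'
    SigningCertPath  = 'C:\certs\catech-signing.cer'         # exported public cert of key alias "catech"
}
$dispatcher = "https://$($Idp.Domain)/affwebservices/public/wsfeddispatcher/$($Idp.DisambiguationId)"
$activeUri  = "https://$($Idp.Domain)/$($Idp.PartnershipName)/ws-username"

function Get-SigningCertificateBase64 {
    # Office 365 wants the DER bytes of the public certificate, Base64-encoded, without PEM armor
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        Write-Warning "Signing certificate $($cert.Thumbprint) expires in $daysLeft days; federated sign-in stops when it expires"
    }
    [pscustomobject]@{
        Base64     = [Convert]::ToBase64String($cert.RawData)
        Thumbprint = $cert.Thumbprint
    }
}

function Set-SiteMinderFederation {
    # Initial conversion uses Set-MsolDomainAuthentication; later changes need -Update
    param([Parameter(Mandatory)][hashtable]$Idp, [switch]$Update)
    $cert = Get-SigningCertificateBase64 -Path $Idp.SigningCertPath
    $settings = @{
        DomainName                      = $Idp.Domain
        FederationBrandName             = $Idp.Domain
        IssuerUri                       = $Idp.EntityId
        PassiveLogOnUri                 = $dispatcher
        LogOffUri                       = $dispatcher
        ActiveLogOnUri                  = $activeUri
        PreferredAuthenticationProtocol = 'WsFed'
        SigningCertificate              = $cert.Base64
    }
    if ($Update) {
        Set-MsolDomainFederationSettings @settings
    } else {
        Set-MsolDomainAuthentication -Authentication Federated @settings
    }
    $cert.Thumbprint
}

function Test-SiteMinderFederation {
    # Reads back what Office 365 stored and reports, per setting, whether it matches the IDP
    param([Parameter(Mandatory)][hashtable]$Idp, [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $fed = Get-MsolDomainFederationSettings -DomainName $Idp.Domain
    $storedBytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $storedCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$storedBytes)
    $checks = [ordered]@{
        Authentication  = ((Get-MsolDomain -DomainName $Idp.Domain).Authentication -eq 'Federated')
        IssuerUri       = ($fed.IssuerUri -eq $Idp.EntityId)
        PassiveLogOnUri = ($fed.PassiveLogOnUri -eq $dispatcher)
        LogOffUri       = ($fed.LogOffUri -eq $dispatcher)
        ActiveLogOnUri  = ($fed.ActiveLogOnUri -eq $activeUri)
        SigningCert     = ($storedCert.Thumbprint -eq $ExpectedThumbprint)
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Setting = $c.Key; Matches = $c.Value }
    }
}

# Convert the domain (add -Update to change an already federated domain), then verify:
# $thumb = Set-SiteMinderFederation -Idp $Idp
# Test-SiteMinderFederation -Idp $Idp -ExpectedThumbprint $thumb
```

Compare the thumbprint reported by Test-SiteMinderFederation with the thumbprint of the alias selected under “Configure Signature and Encryption”; after a key rollover on the SiteMinder side, rerun Set-SiteMinderFederation -Update, otherwise Office 365 keeps verifying tokens against the old certificate.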

User Role Assigning

Go to the Users and Groups tab and select the user to be tested (e.g. iduser).

Select all applications as shown below:

Chapter 4: Federation Testing & Target Services

This section contains the following topics:

Federation Testing

Federation testing for Active Profile

Federation Testing

Microsoft Office 365 supports both Service Provider initiated and Identity Provider initiated login. This version of Microsoft Office 365 does not support mobile application login via federated Single Sign-On.

Identity Provider Initiated Testing

Access URL: https://ca-technologies.fugen.com/affwebservices/public/wsfeddispatcher/samlsso?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline

The wa=wsignin1.0 parameter requests a WS-Federation sign-in and wtrealm names the Resource Partner; it must equal the Audience configured in the partnership.

Enter the credentials and click login.

The user lands at the Microsoft Office 365 home page.


Service Provider Initiated Testing

Access URL: https://portal.microsoftonline.com

Once the user enters a UPN in the federated domain, Office 365 redirects the browser to the passive logon URL of the Identity Provider (SiteMinder).

Enter the credentials and click login.


The user lands at the Microsoft Office 365 home page.

Single Logout

Navigate to Admin and select Sign out

After logout the user is redirected to the login screen, as configured in the SLO step.

Federation testing for Active Profile

In the active profile the rich client sends the user's Active Directory credentials to Office 365, which forwards them over WS-Trust to the SiteMinder STS (the ActiveLogOnUri) and receives a SAML 1.1 token in return. The password therefore transits Microsoft's service and the internet-facing STS endpoint; both legs must be HTTPS.

Microsoft Lync 2013:

Download the Lync 2013 app.

Log in to Microsoft Lync 2013 with the Active Directory login credentials.

Provide the Active Directory login password.

After successful login, the user can use the Lync 2013 application; the session was established through Active Logon.

Microsoft Outlook 2013

Configure Microsoft Outlook 2013: navigate to File > Data File Management.

Click “New”.

Choose “Microsoft Exchange, POP3, IMAP, or HTTP” and click “Next”.

Select “Manually configure server settings or additional server types” and click “Next”.

Select “Internet E-mail” and click “Next”.

Provide the e-mail settings:

o E-mail Address – Provide the e-mail address of the user

o Account Type – Select “POP3”

o Incoming mail server – outlook.office365.com

o Outgoing mail server (SMTP) – smtp.office365.com

o User Name – Provide the e-mail address of the user

o Password – Provide the user's password

Click “More Settings”.


Click the “Advanced” tab.

o Under Server Port Numbers, make the following changes:

o Incoming server (POP3) – 995

o Check “This server requires an encrypted connection (SSL)”

o Outgoing server (SMTP) – 587

o Use the following type of encrypted connection – select “TLS”

Click “OK”.


Click the “Outgoing Server” tab, select “My outgoing server (SMTP) requires authentication”, and click “OK”.

Click “Next”.


Click “Finish”.

Once configuration is complete, the user should be able to access Outlook email. Note that in this POP3/SMTP setup the client presents the user's password directly to Office 365 rather than obtaining a browser-based SAML assertion; that is what makes it an active-profile test. Microsoft has since disabled Basic Authentication for POP3 in Exchange Online, so password-based POP3 access of this kind no longer works against current tenants.


Chapter 5: Exception Handling

This section contains the following exception cases:

When the SiteMinder Partnership is Inactive

When the Service Provider Entity ID was misconfigured on the SiteMinder Side

When the Identity Provider Entity ID was misconfigured on the SiteMinder Side

When the Service Provider Security Token Consumer Service URL was misconfigured on the SiteMinder Side

When the Audience Field was misconfigured on the SiteMinder Side

When the Name ID Format value was misconfigured on the SiteMinder Side

When a user who does not exist in Microsoft Office 365 tries to log in through SiteMinder

When a SiteMinder user does not have the required attributes in the user store

Exception Cases

When the SiteMinder Partnership is Inactive

When the SiteMinder Partnership is inactive or not defined, the following error appears in the browser.

When the Service Provider Entity ID was misconfigured on the SiteMinder Side

Entity ID used: https://ca-technologies.fugen.com/office

Result: Fails at the Microsoft Office 365 side and displays the error given below.


When the Identity Provider Entity ID was misconfigured on the SiteMinder Side

Entity ID used: urn:federation:MicrosoftOnline/fugen

Result: Fails before authentication and displays the error given below.

When the Service Provider Security Token Consumer Service URL was misconfigured on the SiteMinder Side

Security Token Consumer Service URL used: https://login.microsoftonline.com/fugen

Result: Redirects to the specified URL after authentication and shows a blank page.


When the Audience Field was misconfigured on the SiteMinder Side

Audience used: urn:federation:MicrosoftOnline

Result: Authentication at Microsoft Office 365 fails and displays the error given below.

When the Name ID Format value was misconfigured on the SiteMinder Side

Name ID Format used: X509 Subject Name

Result: Works without any issue; only the attribute value carried in the Name ID matters, not the format.

When a user who does not exist in Microsoft Office 365 tries to log in through SiteMinder

User ID used: demouser1

Result: The user does not exist in Microsoft Office 365, and the following error is produced.


When a SiteMinder user does not have the required attributes in the user store

User ID used: feduser1

This user does not have the email ID attribute that the partnership maps to the Name ID.

Result: After authentication, the following error page appears.
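Every failure in this chapter is visible in the assertion SiteMinder produces before Office 365 ever sees it: a wrong Issuer (IdP Entity ID), a wrong Audience, a wrong Recipient (the Security Token Consumer Service URL) or an empty Name ID when the mapped user-store attribute is missing. The following Python pre-flight checker is an added example, not part of the CA runbook or CA's software. The assertions it parses are constructed for this example; the IdP entity ID https://idp.example.com/siteminder is an assumed value; and the Office 365 Audience and Assertion Consumer Service URL it expects are taken from Microsoft's public SAML 2.0 federation documentation, not from this runbook (the runbook's own Audience test above recorded a failure with that same value; the values in your partnership definition are authoritative). It deliberately does not verify the XML signature, which a real relying party must do before trusting any of these fields.

```python
"""Pre-flight checker for a SAML 2.0 assertion destined for Office 365.

Added example, not part of the CA runbook. It reports the partnership
mistakes listed in Chapter 5 (wrong Issuer, wrong Audience, wrong ACS URL,
missing Name ID value). It does NOT check the XML signature or validity
window; those checks belong in the relying party, before any of this.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Expected partnership values. The issuer is an ASSUMED IdP entity ID for
# this example; audience and ACS URL are Microsoft's documented Office 365
# SAML 2.0 values, supplied here as parameters rather than hard truths.
EXPECTED = {
    "issuer": "https://idp.example.com/siteminder",           # assumed
    "audience": "urn:federation:MicrosoftOnline",
    "acs_url": "https://login.microsoftonline.com/login.srf",
}


def _assertion_root(xml_text):
    """Accept either a bare Assertion or a samlp:Response wrapping one."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Response" % NS["samlp"]:
        root = root.find("saml:Assertion", NS)
        if root is None:
            raise ValueError("Response carries no Assertion")
    return root


def _text(root, path):
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else None


def check_assertion(xml_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the assertion passes."""
    root = _assertion_root(xml_text)
    findings = []

    # IdP Entity ID misconfiguration shows up as a wrong Issuer.
    issuer = _text(root, "saml:Issuer")
    if issuer != expected["issuer"]:
        findings.append("issuer mismatch: got %r" % issuer)

    # Audience misconfiguration: Office 365 rejects the assertion.
    audiences = [
        a.text.strip()
        for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if expected["audience"] not in audiences:
        findings.append("audience mismatch: got %r" % audiences)

    # Security Token Consumer Service URL misconfiguration: the assertion is
    # posted to a URL Office 365 does not serve, hence the blank page.
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:
        findings.append("recipient/ACS URL mismatch: got %r" % recipient)

    # Missing user-store attribute mapped to Name ID yields an empty NameID.
    # The Format attribute is intentionally not checked: the runbook found
    # that Office 365 accepts a different format as long as the value is right.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("empty NameID: mapped user-store attribute is missing")

    return findings


# Constructed sample assertions (unsigned, for illustration only).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/siteminder</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">QUJDREVGMDEyMw==</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://login.microsoftonline.com/login.srf"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Mirrors the runbook's failure cases in one assertion: wrong Issuer, wrong
# Audience, wrong Recipient (the /fugen URL), and an empty NameID (feduser1).
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>urn:federation:MicrosoftOnline/fugen</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://login.microsoftonline.com/fugen"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://ca-technologies.fugen.com/office</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc) or "OK")
```

Run it against the assertion captured from a browser SSO trace (for example from a SAML tracer extension) with the EXPECTED values replaced by those in the partnership definition; each finding maps directly to one of the exception cases above.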


Chapter 6: Summary

Microsoft Office 365 supports both Identity Provider-initiated and Service Provider-initiated scenarios.

Microsoft Office 365 services federation via Browser SSO has been tested.

SPS is configured for Microsoft Office 365.

No back-channel or artifact-based profiles are implemented by Microsoft Office 365.

The SSO, assertion consumer and target URLs are all HTTPS.

The Microsoft Office 365 Single Logout Service URL has been tested.

The following services provided by Microsoft Office 365 have been tested in a desktop browser environment:

Lync

Outlook

SkyDrive

SharePoint Online